[Old post] [Help] Cracking an address validation program
Posted: 2007-6-23 11:35

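Recently I wanted to use this third-party control to normalize and correct user addresses; after trying it out I found it works very well.
http://www.softwarecompany.com/dotnet/netaddress.htm
I am a complete beginner at cracking and would like to ask whether some expert could help take a look.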

License Manager appears to be VB code and is not packed. After the trial version is installed, the registry contains the following settings:
HKLM\SOFTWARE\The Software Company\NetAddress 3.5

"InstallDir"="C:\\Program Files\\The Software Company\\NetAddress 3.5\\"
"License"="21351200706200000002007062020154820070720000000000099900000000000000053912162000000000000060212499324224"

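I took a look with IDA and SmartCheck, and the logic seems quite simple, but my assembly is terrible, heh.
After loading License Manager, you can see that this "License" value is the key: it contains the install date 20070620 and the expiry date 20070720, as well as the remaining number of calls, 999. 20070620201548 should be the time of installation. Running the bundled sample program a few times, you can see the remaining call count decrease. Restoring this registry value from a registry file backed up beforehand restores the remaining call count, so this is clearly the key. The digits at the very end of the registry value should be a checksum over the preceding part. If only the remaining call count is modified, License Manager reports an error.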

.text:0040C63F loc_40C63F:                             ; CODE XREF: .text:0040C62Dj
.text:0040C63F lea     edx, [ebp-0ACh]
.text:0040C645 lea     eax, [ebp-3ECh]
.text:0040C64B push    edx
.text:0040C64C push    6
.text:0040C64E lea     ecx, [ebp-0BCh]
.text:0040C654 lea     edi, [esi+34h]
.text:0040C657 push    eax
.text:0040C658 push    ecx
.text:0040C659 mov     dword ptr [ebp-0A4h], 4
.text:0040C663 mov     dword ptr [ebp-0ACh], 2
.text:0040C66D mov     [ebp-3E4h], edi
.text:0040C673 mov     dword ptr [ebp-3ECh], 4008h
.text:0040C67D call    ds:rtcMidCharVar
.text:0040C683 lea     edx, [ebp-0CCh]
.text:0040C689 lea     eax, [ebp-40Ch]
.text:0040C68F push    edx
.text:0040C690 push    0Bh
.text:0040C692 lea     ecx, [ebp-0DCh]
.text:0040C698 push    eax
.text:0040C699 push    ecx
.text:0040C69A mov     dword ptr [ebp-0C4h], 4
.text:0040C6A4 mov     dword ptr [ebp-0CCh], 2
.text:0040C6AE mov     [ebp-404h], edi
.text:0040C6B4 mov     dword ptr [ebp-40Ch], 4008h
.text:0040C6BE call    ds:rtcMidCharVar
.text:0040C6C4 mov     eax, 2
.text:0040C6C9 lea     edx, [ebp-0FCh]
.text:0040C6CF mov     [ebp-0F4h], eax
.text:0040C6D5 mov     [ebp-0FCh], eax
.text:0040C6DB push    edx
.text:0040C6DC lea     eax, [ebp-42Ch]
.text:0040C6E2 push    10h
.text:0040C6E4 lea     ecx, [ebp-10Ch]
.text:0040C6EA push    eax
.text:0040C6EB push    ecx
.text:0040C6EC mov     [ebp-424h], edi
.text:0040C6F2 mov     dword ptr [ebp-42Ch], 4008h
.text:0040C6FC call    ds:rtcMidCharVar
.text:0040C702 mov     edi, ds:__vbaVarCat
.text:0040C708 lea     edx, [ebp-0BCh]
.text:0040C70E lea     eax, [ebp-0DCh]
.text:0040C714 push    edx
.text:0040C715 lea     ecx, [ebp-0ECh]
.text:0040C71B push    eax
.text:0040C71C push    ecx
.text:0040C71D call    edi ; __vbaVarCat
.text:0040C71F push    eax
.text:0040C720 lea     edx, [ebp-10Ch]
.text:0040C726 lea     eax, [ebp-11Ch]
.text:0040C72C push    edx
.text:0040C72D push    eax
.text:0040C72E call    edi ; __vbaVarCat
.text:0040C730 push    eax
.text:0040C731 call    ds:__vbaStrVarMove
.text:0040C737 lea     ecx, [ebp-3Ch]
.text:0040C73A push    eax
.text:0040C73B push    ecx
.text:0040C73C push    0Ah
.text:0040C73E call    ds:__vbaLsetFixstrFree
.text:0040C744 lea     edx, [ebp-11Ch]
.text:0040C74A lea     eax, [ebp-10Ch]
.text:0040C750 push    edx
.text:0040C751 lea     ecx, [ebp-0ECh]
.text:0040C757 push    eax
.text:0040C758 lea     edx, [ebp-0FCh]
.text:0040C75E push    ecx
.text:0040C75F lea     eax, [ebp-0DCh]
.text:0040C765 push    edx
.text:0040C766 lea     ecx, [ebp-0BCh]
.text:0040C76C push    eax
.text:0040C76D lea     edx, [ebp-0CCh]
.text:0040C773 push    ecx
.text:0040C774 lea     eax, [ebp-0ACh]
.text:0040C77A push    edx
.text:0040C77B push    eax
.text:0040C77C push    8
.text:0040C77E call    ds:__vbaFreeVarList
.text:0040C784 add     esp, 24h
.text:0040C787 lea     ecx, [ebp-28h]
.text:0040C78A push    ecx
.text:0040C78B push    0Ah
.text:0040C78D mov     edi, ds:__vbaStrFixstr
.text:0040C793 call    edi ; __vbaStrFixstr
.text:0040C795 mov     edx, eax
.text:0040C797 lea     ecx, [ebp-74h]
.text:0040C79A call    ds:__vbaStrMove
.text:0040C7A0 lea     edx, [ebp-3Ch]
.text:0040C7A3 push    eax
.text:0040C7A4 push    edx
.text:0040C7A5 push    0Ah
.text:0040C7A7 call    edi ; __vbaStrFixstr
.text:0040C7A9 mov     edx, eax
.text:0040C7AB lea     ecx, [ebp-78h]
.text:0040C7AE call    ds:__vbaStrMove
.text:0040C7B4 push    eax
.text:0040C7B5 call    ds:__vbaStrCmp
.text:0040C7BB neg     eax
.text:0040C7BD sbb     eax, eax
.text:0040C7BF lea     ecx, [ebp-74h]
.text:0040C7C2 neg     eax
.text:0040C7C4 neg     eax
.text:0040C7C6 mov     [ebp-480h], ax
.text:0040C7CD lea     eax, [ebp-78h]
.text:0040C7D0 push    eax
.text:0040C7D1 push    ecx
.text:0040C7D2 push    2
.text:0040C7D4 call    ds:__vbaFreeStrList
.text:0040C7DA add     esp, 0Ch
.text:0040C7DD cmp     [ebp-480h], bx
.text:0040C7E4 jz      loc_40C8A8
.text:0040C7E4
.text:0040C7EA mov     ecx, 0Ah
.text:0040C7EF mov     eax, 80020004h
.text:0040C7F4 mov     [ebp-0DCh], ecx
.text:0040C7FA mov     [ebp-0CCh], ecx
.text:0040C800 lea     edx, [ebp-3FCh]
.text:0040C806 lea     ecx, [ebp-0BCh]
.text:0040C80C mov     [ebp-0D4h], eax
.text:0040C812 mov     [ebp-0C4h], eax
.text:0040C818 mov     dword ptr [ebp-3F4h], offset s_Registration ; "Registration"
.text:0040C822 mov     dword ptr [ebp-3FCh], 8
.text:0040C82C call    ds:__vbaVarDup
.text:0040C832 lea     edx, [ebp-3ECh]
.text:0040C838 lea     ecx, [ebp-0ACh]
.text:0040C83E mov     dword ptr [ebp-3E4h], offset s_IncorrectLice ; "Incorrect License Key"
.text:0040C848 mov     dword ptr [ebp-3ECh], 8
.text:0040C852 call    ds:__vbaVarDup

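I entered an arbitrary registration code in License Manager.
Using IDA, I forced the jump at 0040C7E4 here to go to loc_40C8A8, and the registration-success window appeared.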
.text:0040C7E4 jz      loc_40C8A8

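But the registry value that was then written to the registry was corrupt. I cannot really understand the earlier call that is used to generate the registration code.
Could some expert give me some pointers? Many thanks.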

Latest replies (3)
2
From an expert's point of view this is probably too simple. I also think it is a very interesting little program.
2007-6-23 15:04
3
Bumping my own thread; a very useful little program.
2007-6-24 10:14
4
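I just located the code that runs after the registration number has been entered and debugged it with IDA; every time it ends with License Manager crashing, heh.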

Private Sub OKButton_Click() '421400
00421400: push ebp
00421401: mov ebp, esp
00421403: sub esp, 0000000Ch
00421406: push 00401426h ; MSVBVM60.DLL.__vbaExceptHandler
0042140B: mov eax, fs:[00h]
00421411: push eax
00421412: mov fs:[00000000h], esp
00421419: sub esp, 0000005Ch
0042141C: push ebx
0042141D: push esi
0042141E: push edi
0042141F: mov var_0C, esp
00421422: mov var_08, 004013C8h
00421429: mov edi, [ebp+08h]
0042142C: mov eax, edi
0042142E: and eax, 00000001h
00421431: mov var_04, eax
00421434: and edi, FFFFFFFEh
00421437: push edi
00421438: mov [ebp+08h], edi
0042143B: mov ecx, [edi]
0042143D: call [ecx+04h]
00421440: mov edx, [edi]
00421442: xor ebx, ebx
00421444: push edi
00421445: mov var_18, ebx
00421448: mov var_1C, ebx
0042144B: mov var_20, ebx
0042144E: mov var_30, ebx
00421451: mov var_40, ebx
00421454: mov var_50, ebx
00421457: call [edx+00000300h]
0042145D: push eax
0042145E: lea eax, var_20
00421461: push eax
00421462: call [0040106Ch] ; Set (object)
00421468: mov esi, eax
0042146A: lea edx, var_18
0042146D: push edx
0042146E: push esi
0042146F: mov ecx, [esi]
00421471: call [ecx+000000A0h]
00421477: cmp eax, ebx
00421479: fclex
0042147B: jnl 42148Fh
0042147D: push 000000A0h
00421482: push 00409C40h
00421487: push esi
00421488: push eax
00421489: call MSVBVM60.DLL.__vbaHresultCheckObj
0042148F: mov eax, var_18
00421492: lea ecx, var_40
00421495: mov var_28, eax
00421498: lea eax, var_30
0042149B: push eax
0042149C: push ecx
0042149D: mov var_18, ebx
004214A0: mov var_30, 00000008h
004214A7: call [00401090h] ; arg_1 = Trim(arg_2)
004214AD: cmp [00423010h], ebx
004214B3: jnz 4214C5h
004214B5: push 00423010h
004214BA: push 00408D4Ch
004214BF: call MSVBVM60.DLL.__vbaNew2
004214C5: mov esi, [00423010h] ;
004214CB: push ebx
004214CC: lea edx, var_40
004214CF: push 00000001h
004214D1: lea eax, var_50
004214D4: push edx
004214D5: push eax
004214D6: call MSVBVM60.DLL.rtcStrConvVar2
004214DC: mov ebx, [esi]
004214DE: lea ecx, var_50
004214E1: lea edx, var_1C
004214E4: push ecx
004214E5: push edx
004214E6: call MSVBVM60.DLL.__vbaStrVarVal
004214EC: push eax
004214ED: push esi
004214EE: call [ebx+000006FCh]
004214F4: test eax, eax
004214F6: fclex
004214F8: jnl 42150Ch
004214FA: push 000006FCh
004214FF: push 00409910h
00421504: push esi
00421505: push eax
00421506: call MSVBVM60.DLL.__vbaHresultCheckObj
0042150C: lea ecx, var_1C
0042150F: call MSVBVM60.DLL.__vbaFreeStr
00421515: mov ebx, MSVBVM60.DLL.__vbaFreeObj
0042151B: lea ecx, var_20
0042151E: call ebx
00421520: lea eax, var_50
00421523: lea ecx, var_40
00421526: push eax
00421527: lea edx, var_30
0042152A: push ecx
0042152B: push edx
0042152C: push 00000003h
0042152E: call MSVBVM60.DLL.__vbaFreeVarList
00421534: mov eax, [42346Ch]
00421539: add esp, 00000010h
0042153C: test eax, eax
0042153E: jnz 421550h
00421540: push 0042346Ch
00421545: push 00409F58h
0042154A: call MSVBVM60.DLL.__vbaNew2
00421550: mov esi, [0042346Ch] ;
00421556: lea eax, var_20
00421559: push edi
0042155A: push eax
0042155B: mov edx, [esi]
0042155D: mov var_70, edx
00421560: call MSVBVM60.DLL.__vbaObjSetAddref
00421566: mov ecx, var_70
00421569: push eax
0042156A: push esi
0042156B: call [ecx+10h]
0042156E: test eax, eax
00421570: fclex
00421572: jnl 421583h
00421574: push 00000010h
00421576: push 00409F48h
0042157B: push esi
0042157C: push eax
0042157D: call MSVBVM60.DLL.__vbaHresultCheckObj
00421583: lea ecx, var_20
00421586: call ebx
00421588: mov var_04, 00000000h
0042158F: push 004215CBh
00421594: jmp 4215CAh
00421596: lea edx, var_1C
00421599: lea eax, var_18
0042159C: push edx
0042159D: push eax
0042159E: push 00000002h
004215A0: call MSVBVM60.DLL.__vbaFreeStrList
004215A6: add esp, 0000000Ch
004215A9: lea ecx, var_20
004215AC: call MSVBVM60.DLL.__vbaFreeObj
004215B2: lea ecx, var_50
004215B5: lea edx, var_40
004215B8: push ecx
004215B9: lea eax, var_30
004215BC: push edx
004215BD: push eax
004215BE: push 00000003h
004215C0: call MSVBVM60.DLL.__vbaFreeVarList
004215C6: add esp, 00000010h
004215C9: ret
End Sub
2007-6-24 23:58